[TYPO3-core] RFC #12430: Install Tool Password gets transmitted plain text

Bernhard Kraft kraftb at kraftb.at
Mon Nov 2 10:19:39 CET 2009


Ernesto Baschny [cron IT] wrote:

> Using the encryptionKey is not really possible for the session storage,
> as there is not encryptionKey set once the 1-2-3 installer runs, so that
> the session directory will change as soon as the encryptionKey changes
> (thus logging the user "off").

I know that. Before this change a user had to re-login when changing the password.
Now he would have to re-login when changing the encryption key.



The reason behind this:

If you try the patch, first try to login into the install tool with a wrong password.
Now you'll see a nice "Wrong password" ->message() instead of the plain-text showing
the md5 value of the password.

As now neither the plain-text password nor its md5-sum gets transmitted, I can't
show the md5 value to the user, so he can copy&paste it into the install tool. As most
admins do not have an md5-calculator at hand, I fixed this problem by adding a button
"Get MD5". It will show the MD5 value of the password you have currently filled into
the login-form of the install tool. You can then copy&paste this value to your localconf.php.

Now the problem is: the session is stored depending on the install tool password. So if
you do the following steps:
1: fill in a password and press "Login"
2: get error message "wrong password"
3: fill in your wanted password and use the "Get MD5" button to get its md5 sum
4: copy&paste that value to localconf.php
5: directly press "Login" without reloading the install tool login form
6: get error message: "wrong password"

You won't expect the last step, because you just logged in with the password whose md5
value you just copied into localconf.php. The reason for this is: the challenge value is
also stored in the session. So if you change the install tool password, you'll lose the
stored challenge value, and the server can not calculate the correct response.

It's quite hard to explain if you haven't tried the patch. I'll be available in IRC if
you would like to discuss this.


greets,
Bernhard
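The six steps above, as an added model of the behaviour the post describes (constructed example, not TYPO3 code): the session store is keyed by the configured password hash, the challenge is kept inside that session, and the client sends md5(challenge + ":" + md5(password)), which is an assumed response formula, not the one from the patch.

```python
"""Model of the install tool challenge/response login discussed in the post.

Constructed example: the session location depends on the configured password
hash and the challenge lives inside that session, so changing the hash between
"show form" and "submit" orphans the challenge and the right password fails.
"""
import hashlib
import secrets


def md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


class InstallTool:
    def __init__(self, configured_md5: str):
        self.configured_md5 = configured_md5  # value kept in localconf.php
        self.sessions: dict[str, dict] = {}   # stands in for the session directory

    def _session(self) -> dict:
        # Assumption: the session key is derived from the configured password hash,
        # so a changed hash points at a fresh, empty session.
        return self.sessions.setdefault(md5("session:" + self.configured_md5), {})

    def show_login_form(self) -> str:
        """Render the form: create a challenge and remember it in the session."""
        challenge = secrets.token_hex(16)
        self._session()["challenge"] = challenge
        return challenge

    def login(self, response: str) -> str:
        challenge = self._session().get("challenge")
        expected = None if challenge is None else md5(challenge + ":" + self.configured_md5)
        return "Logged in" if expected is not None and response == expected else "Wrong password"


def client_response(challenge: str, password: str) -> str:
    # Browser side: only a hash derived from the password and the challenge is sent.
    return md5(challenge + ":" + md5(password))


def reproduce_steps() -> tuple[str, str]:
    tool = InstallTool(configured_md5=md5("old-password"))
    challenge = tool.show_login_form()            # steps 1-3: form loaded, challenge stored
    tool.configured_md5 = md5("wanted-password")  # step 4: new md5 pasted into localconf.php
    without_reload = tool.login(client_response(challenge, "wanted-password"))  # steps 5-6
    challenge = tool.show_login_form()            # reload the form: new session, new challenge
    after_reload = tool.login(client_response(challenge, "wanted-password"))
    return without_reload, after_reload
```

Running reproduce_steps() returns "Wrong password" for the submit without a reload and "Logged in" once the form has been reloaded.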

